diff options
author | Matthias Andree <matthias.andree@gmx.de> | 2005-10-29 14:03:35 +0000 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2005-10-29 14:03:35 +0000 |
commit | 71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7 (patch) | |
tree | e47ac8f9936bfb57c3a09eb217b105d31f898d55 /NEWS | |
parent | 68e2e0521de07dc8b6fed01b0608496f2569c090 (diff) | |
download | fetchmail-71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7.tar.gz fetchmail-71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7.tar.bz2 fetchmail-71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7.zip |
Clean up SECURITY FIXES section.
svn path=/trunk/; revision=4371
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 12 |
1 files changed, 6 insertions, 6 deletions
@@ -9,15 +9,15 @@ Abbreviations: MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk) fetchmail 6.3.0 (not yet released officially): -# SECURITY FIX -* The POP3 UIDL code doesn't sufficiently validate/truncate the input +# SECURITY FIXES IN THIS RELEASE +* CVE-2005-2335: The POP3 UIDL code doesn't sufficiently validate/truncate the input length, so a (malicious or compromised) server that sends UIDs longer than 128 bytes can corrupt fetchmail's stack and crash fetchmail. This vulnerability is remotely exploitable to inject code run in a - root shell. This is tracked under the CVE Name: CAN-2005-2335 -* fetchmailconf now changes the output file to mode 0600 BEFORE writing to it, - so there is no window where passwords could be read by the world. - Matthias Andree. + root shell. Edward J. Shornock, Ludwig Nussel. fetchmail-SA-2005-01.txt +* CVE-2005-3088: fetchmailconf now changes the output file to mode 0600 BEFORE + writing to it, so there is no window where passwords could be read by the + world. Matthias Andree. fetchmail-SA-2005-02.txt # MAJOR INCOMPATIBLE CHANGES * Remove support for --netsec/-T options, the required inet6_apps library is no |